About This Guide


This Internet Protocol version 6 (IPv6) Administration Guide provides information about the basic 
features of IPv6, transition mechanisms from IPv4, and how to set up the IPv6 network. Novell® 
IPv6 now ships with Novell TCP/IP stack as an additional component. 


This guide is divided into the following sections: 
+ Chapter 1, “Understanding IPv6”
+ Chapter 2, “Transitioning from IPv4 to IPv6”
+ Chapter 3, “Setting Up Novell IPv6”
+ Chapter 4, “Configuring a Secure Channel using IPv6”
+ Chapter 5, “Configuring RIPng for IPv6”
+ Chapter 6, “Using Novell IPv6 in Your Network”
+ Chapter 7, “Frequently Asked Questions”


Audience 


This guide is intended for network administrators. 


Feedback 


We want to hear your comments and suggestions about this manual and the other documentation 
included with this product. Please use the User Comment feature at the bottom of each page of the 
online documentation, or go to Novell online documentation 
(http://www.novell.com/documentation/feedback.html). 


Documentation Updates 


For the most recent version of the NW 6.5 SP8: IPv6 Administration Guide, see the NetWare 6.5 SP8 
Documentation Web site (http://www.novell.com/documentation/nw65). 


Documentation Conventions 


In Novell documentation, a greater-than symbol (>) is used to separate actions within a step and 
items in a cross-reference path. 


In this documentation, a trademark symbol (®, ™, etc.) denotes a Novell trademark. An asterisk (*) 
denotes a third-party trademark. 


When a single pathname can be written with a backslash for some platforms or a forward slash for 
other platforms, the pathname is presented with a backslash. Users of platforms that require a 
forward slash, such as UNIX*, should use forward slashes as required by your software. 


Understanding IPv6 


IPv6 is a network layer protocol that resolves the inherent IPv4 problems and incorporates many 
enhancements. IPv6 solves the Internet scaling problem (addresses), provides a flexible transition 
mechanism, meets the needs of mobile users, and supports automatic configuration (plug-and-play). 


This section provides the following information about IPv6: 


+ Section 1.1, “Understanding IPv6”
+ Section 1.2, “Comparing IPv4 and IPv6”
+ Section 1.3, “Implementing Novell IPv6”


1.1 Understanding IPv6 


With the unprecedented growth of the Internet and the steady increase of users who use the Internet 
for varied services, there is a need to increase the Internet address spaces. This is to facilitate 
real-time traffic, flexible congestion control schemes, security, and privacy. The emerging range of 
network intelligent devices, such as mobile phones and home area networks, has further accentuated 
the need for larger address spaces. 


IPv6 aims to provide larger address spaces to overcome the shortcomings of IPv4. To ensure that 
IPv6 provides all the features that IPv4 does not, the Internet Engineering Task Force (IETF) 
revisited the definition and functionality that IPv4 offered. IPv6 is designed to produce a streamlined 
format while integrating support for emerging services such as expanded address configuration, 
quality of service, security, and support for mobile devices. 


This section explains the following: 


+ Section 1.1.1, “IPv6 Header Format”
+ Section 1.1.2, “IPv6 Addressing”
+ Section 1.1.3, “IPv6 Security”
+ Section 1.1.4, “IPv6 Routing”
+ Section 1.1.5, “Quality-of-Service Capabilities”
+ Section 1.1.6, “Address Auto Configuration”
+ Section 1.1.7, “Path Maximum Transfer Unit”


1.1.1 IPv6 Header Format 


Unlike in IPv4, IPv6 options are placed in separate extension headers and are located between the 
IPv6 headers and the transport layer headers. IPv6 does not require all the routers on a path to 
examine these header options. The redundant fields from the IPv4 header have been removed for 
IPv6. These improvements enhance the IPv6 protocol performance, because they cut down on the 
additional processing. 


The following diagram shows the IPv6 header. 


Figure 1-1 Header Format 


The optional Internet layer information is encoded in separate headers that can be placed between 
the IPv6 header and the upper-layer header in a packet. These extension headers are identified by a 
distinct next-header value. The IPv6 packet might or might not carry these extension headers. The 
following are the currently defined extension header options: 


Table 1-1 Header Functionality 


Option                   Functionality 
Authentication           Integrity and authentication 
Destination options 1    Options to be examined by intermediate nodes 
Destination options 2    Options to be examined by destination node only 
Fragmentation            Fragmentation and reassembly 
Hop-by-Hop               Special option for processing at every node 
Routing                  Extended routing (loose source route) 
Security encapsulation   Confidentiality 


1.1.2 IPv6 Addressing 


IPv6 addresses are 128 bits and identify interfaces or sets of interfaces. The following are the three 
types of IPv6 addresses: 


+ Unicast: identifies a single interface. 


+ Anycast: identifies a set of interfaces. A packet sent to this address is forwarded to the nearest 
interface with the same address, according to the routing protocols' measure of distance. 


+ Multicast: identifies a group of interfaces. A packet sent to this address is sent to all interfaces 
in the group. 


The IPv6 address space is the following: 
2^128 = 340,282,366,920,938,463,463,374,607,431,768,211,456 


1.1.3 IPv6 Security 


IPv6 offers the following integrated security services: 


+ The IPv6 Authentication Header provides authentication to IPv6 datagrams. 


+ The IPv6 Encapsulating Security Header provides integrity and confidentiality to IPv6 
datagrams. 


1.1.4 IPv6 Routing 


RIPv6 and OSPFv6 are protocols that enable routers to exchange information for computing routes 
through an IPv6 network. The RIPv6 and OSPFv6 protocols must be implemented only on routers, 
because IPv6 hosts use the Neighbor Discovery Protocol to retrieve information about their 
neighboring nodes. The RIPv6 protocol runs over UDP and the OSPFv6 protocol runs directly over IPv6. 


1.1.5 Quality-of-Service Capabilities 


The IPv6 protocol provides some Quality-of-Service (QoS) mechanisms for those packets that 
require special handling. The Flow Label and Traffic Class fields in the IPv6 header are used to 
identify these packets, which include packets that require nondefault quality of service, real-time 
service, or relative priority. This is especially useful for real-time and multimedia applications. 


Two types of header fields enable QoS: 


+ Flow Label: identifies a flow, which is a sequence of packets sent from a particular source to a 
particular destination or multiple destinations for which the source desires special handling. 


+ Traffic Class: identifies and distinguishes between different classes or priorities of IPv6 
packets. 


1.1.6 Address Auto Configuration 


Address auto configuration enables a host to automatically learn its interface addresses. This enables 
the host to operate in a plug-and-play mode. 


1.1.7 Path Maximum Transfer Unit 


Every network interface has a maximum packet size that it can transfer across the network. This is 
called the interface’s Maximum Transfer Unit (MTU). The complete path that data packets travel to 
reach the destination might span many routers with different MTUs. The smallest MTU 
among all the routers in a path is referred to as the path MTU. 


If a packet starts out on a network segment with a large MTU, it might arrive at a router with a 
smaller MTU. The intermediate routers are not allowed to fragment the packet and therefore the 
packet would not be able to traverse this link. 


Before sending the data packets, it is recommended that each host perform the path MTU 
discovery process and determine the optimum size for the full path from the source to the 
destination. To ascertain the path MTU, the host can send out a probe packet of the largest size 
possible. If it cannot traverse some link in the path, the host receives a Packet Too Big 
notification and is further informed about the optimum size of data packets that can be sent through 
that link. 


The path MTU for each interface can be configured in the ip6.cfg file. The size specified in this 
file becomes the maximum size of the outgoing data packet from that network link. 


1.2 Comparing IPv4 and IPv6 


The following features differentiate IPv6 from IPv4: 


+ The IPv6 header (40 bytes) is double the size of the IPv4 header (20 bytes). 
+ IPv6 (128 bits) has four times as many address bits as IPv4 (32 bits). 


+ IPv6 has stackable extension headers that replace the IPv4 options. Several extension headers 
can be stacked on top of the previous extension headers. 


+ The IPv6 header is not protected by checksum. Instead, UDP checksumming is mandated in 
IPv6. 


+ Fragmentation-related fields now belong to the fragment extension header in IPv6. 
+ The length of the header, protocol type, and the Time to Live are redefined in the IPv6 header. 
+ Intermediate fragmentation is not allowed in IPv6. 


Two additional features are improvements over IPv4: 


+ Addressing Differences
+ Configuration


1.2.1 Addressing Differences 


IPv6 supports private and public addresses as part of the architecture and associates them with a 
lifetime. IPv4 added the concept of scope or private addresses at a later time. Mechanisms like 
Dynamic Host Configuration Protocol try to associate a lifetime with addresses in IPv4. 


IPv6 uses unicast, multicast, and anycast addresses. IPv4 does not have anycast 
addressing as part of the base specification. 


1.2.2 Configuration 


IPv6 brings in plug-and-play support for hosts as part of the base specification. Routers can be 
configured to advertise subnet prefixes and MTU parameters. Most of the facilities provided by 
IGMP router discovery and ARP in IPv4 are provided as part of the Neighbor Discovery protocol in 
IPv6. 


1.3 Implementing Novell IPv6 


IPv6 on NetWare® enables the use of the IPv6 protocol natively over the NetWare server platform 
by NetWare applications like NDS®, Proxy, and Winsock. NetWare does this by using the IPv6 
features that best suit Novell software. Also, IPv6 is used as a part of the existing TCP/IP stack and 
functions as an add-on component for TCP/IP. 


The following RFCs are supported by the Novell IPv6 protocol: 


RFC 2460 - Internet Protocol version 6 (IPv6) Specification 
RFC 2461 - Neighbor Discovery for IPv6 
RFC 2462 - IPv6 Stateless Address Autoconfiguration 
RFC 2463 - Internet Control Message Protocol (ICMPv6) 
RFC 2464 - Transmission of IPv6 Packets over Ethernet Networks (Only EthernetII Format) 
RFC 2553 - Basic Socket Interface Extensions for IPv6 
RFC 2373 - IPv6 Addressing Architecture 
RFC 2893 - Transition Mechanisms for IPv6 Hosts and Routers 


Transitioning from IPv4 to IPv6 


Moving exclusively to IPv6 is not a practical option for most organizations. Therefore, it is possible 
to make the move gradually and to use mixed environments while the transition is taking place. The 
question for most organizations is when, how, where, and how much to transition. 


Some individual networks within an organization can be upgraded as a whole, creating small IPv6 
networks surrounded by IPv4 networks, but IPv4/IPv6 gateways are necessary at the borders of 
these networks to interoperate with IPv4 networks. Different IPv6 networks can also communicate 
with each other through the IPv4 Internet by setting up IPv6/IPv4 tunnels. 


Some organizations will migrate host by host, with dual-protocol IPv4/IPv6 nodes scattered 
throughout the existing IPv4 network. These nodes can interoperate with each other in native IPv6, 
or with IPv6 nodes outside the network by tunneling IPv6 inside IPv4 packets. 


See the following sections for more information about how IPv6 interoperability with IPv4 is 
enabled: 


+ Section 2.1, “Dual Stack”
+ Section 2.2, “Tunneling”
+ Section 2.3, “Testing Your Setup with 6Bone”


2.1 Dual Stack 


The IPv6 dual stack mode assumes the following: 


+ Both IPv4 and IPv6 stacks are enabled 
+ Applications can talk to both IPv6 and IPv4 
+ Your choice of the IP version is based on name lookup and application preference 


The following diagram shows the dual stack approach. 


Figure 2-1 Dual Stack 


Dual stack hosts can handle both IPv4 and IPv6 clients by using IPv4-mapped IPv6 addresses. For 
example, the following process shows how an IPv4 TCP client communicates with an IPv6 server: 

1. The IPv6 server starts and creates an IPv6 listening socket. 

2. The IPv4 client calls gethostbyname and finds a record for the server. 

3. The client calls connect and the client’s host sends IPv4 SYN to the server. 

4. The server host receives the IPv4 SYN directed to the IPv6 listening socket. The server sets a 
flag indicating that this connection is using IPv4-mapped IPv6 addresses and responds with an 
IPv4 SYN/ACK. 

5. All communication between the client and server takes place using IPv4 datagrams. 

6. Unless the server explicitly checks whether this IPv6 address is an IPv4-mapped IPv6 address, 
the server never knows that it is communicating with an IPv4 client. 
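
What step 6 means for address-based access control and logging on a dual-stack server, as an added example (not Novell code): an IPv4 client shows up as ::ffff:a.b.c.d, so a rule written for its IPv4 network matches only after the mapped form is unwrapped. The deny list and peer addresses are constructed, and the function names are hypothetical.

```python
import ipaddress

# Constructed deny list for illustration (documentation address ranges).
DENY_NETS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "2001:db8:bad::/48")]


def effective_peer(peer):
    """Return the address that policy and logs should use for a socket peer.

    On an IPv6 listening socket an IPv4 client is reported in IPv4-mapped
    form (::ffff:a.b.c.d). Unwrap that to the real IPv4 address and leave
    native IPv6 peers unchanged.
    """
    addr = ipaddress.ip_address(peer.split("%", 1)[0])  # drop any zone id
    if addr.version == 6 and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def _matches(addr, nets):
    # Only compare an address with networks of the same IP version.
    return any(addr.version == net.version and addr in net for net in nets)


def naive_is_denied(peer):
    """Check the peer exactly as the socket reports it (no unwrapping)."""
    return _matches(ipaddress.ip_address(peer.split("%", 1)[0]), DENY_NETS)


def is_denied(peer):
    """Check the peer after unwrapping an IPv4-mapped address."""
    return _matches(effective_peer(peer), DENY_NETS)


def audit(peers):
    """Return (peer as seen on the socket, address to log, decision) rows."""
    return [(p, str(effective_peer(p)), "deny" if is_denied(p) else "allow")
            for p in peers]


# Constructed peers, in the form an IPv6 listening socket would report them.
SAMPLE_PEERS = [
    "::ffff:192.0.2.10",      # IPv4 client inside the denied IPv4 network
    "::ffff:198.51.100.7",    # IPv4 client outside it
    "2001:db8:bad::5",        # native IPv6 client inside the denied prefix
    "3ffe:501:ffff:100::1",   # native IPv6 client outside it
]

if __name__ == "__main__":
    for row in audit(SAMPLE_PEERS):
        print(*row)
```

The naive check lets the first sample peer through because ::ffff:192.0.2.10 is compared as an IPv6 address and never meets the IPv4 rule.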


2.2 Tunneling 


Tunneling requires only edge ingress and egress router upgrades until native IPv6 networks are 
commercially deployed or offered end-to-end. Two tunneling mechanisms are explained here: 

+ Section 2.2.1, “Automatic and Configured Tunneling”
+ Section 2.2.2, “Default Configured Tunnel”


2.2.1 Automatic and Configured Tunneling 


IPv6/IPv4 hosts and routers can tunnel IPv6 datagrams over regions of IPv4 routing topology by 
encapsulating them within IPv4 packets. Tunneling can be used in the following ways: 


+ Router-to-Router: IPv6/IPv4 routers interconnected by an IPv4 infrastructure can tunnel IPv6 
packets between themselves. 


+ Host-to-Router: IPv6/IPv4 hosts can tunnel IPv6 packets to an intermediary IPv6/IPv4 router 
that is reachable through an IPv4 infrastructure. This type of tunnel spans the first segment of 
the packet’s end-to-end path. 

+ Host-to-Host: IPv6/IPv4 hosts that are interconnected by an IPv4 infrastructure can tunnel 
IPv6 packets between themselves. In this case, the tunnel spans the entire end-to-end path that 
the packet takes. 


+ Router-to-Host: IPv6/IPv4 routers can tunnel IPv6 packets to their final destination IPv6/IPv4 
host. This tunnel spans only the last segment of the end-to-end path. 


+ “Automatic Tunneling”
+ “Configured Tunneling”


Automatic Tunneling 


In the Host-to-Host and Router-to-Host scenarios, IPv6 packets are tunneled all the way to the 
destination. The tunnel end point is the node that the IPv6 packet is addressed to. Because the end 
point of the tunnel is the destination for the IPv6 packet, the tunnel end point can be determined 
from the destination IPv6 address of the packet. If the address is an IPv4-compatible address 
(RFC 2373), the lower-order 32 bits hold the IPv4 address of the destination node and can be used as 
the tunnel end point address. 


This avoids the need for explicit configuration of the tunnel end point address, which is the reason 
this method is known as automatic tunneling. It requires that the IPv6 address must be an 
IPv4-compatible IP address. 


IPv6/IPv4 nodes need to determine which IPv6 packets can be sent through automatic tunneling. 

One method is to use the IPv6 routing table to direct automatic tunneling. You can have a special 
static routing table entry for the prefix 0:0:0:0:0:0/96 (that is, a route to the all-zeros prefix with a 
96-bit mask). 


Packets that match this prefix are sent to a pseudo-interface driver which performs automatic 
tunneling. Because all IPv4-compatible IPv6 addresses will match this prefix, all packets to those 
destinations can be auto-tunneled. 
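
The route match and end point derivation described above, as an added example (not Novell code): the destination is matched against the all-zeros /96 route, the low-order 32 bits become the IPv4 tunnel end point, and the IPv6 packet is wrapped in an IPv4 header with protocol 41. Function names and sample addresses are constructed; rejecting ::, ::1 and multicast, loopback or broadcast end points is a defensive check added here.

```python
import ipaddress
import struct

COMPAT_ROUTE = ipaddress.ip_network("::/96")   # the static route described above
IPPROTO_IPV6 = 41                              # IPv6-in-IPv4 protocol number (RFC 2893)
LIMITED_BROADCAST = ipaddress.IPv4Address("255.255.255.255")


def tunnel_endpoint(dst):
    """Return the IPv4 tunnel end point for an IPv6 destination, or None."""
    addr = ipaddress.IPv6Address(str(dst))
    if addr not in COMPAT_ROUTE:
        return None                  # not handled by the automatic-tunnel route
    if int(addr) in (0, 1):
        return None                  # :: and ::1 match ::/96 but embed no IPv4 host
    v4 = ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF)   # low-order 32 bits
    if v4.is_multicast or v4.is_loopback or v4 == LIMITED_BROADCAST:
        return None                  # never tunnel toward a non-unicast end point
    return v4


def ipv4_checksum(header):
    """One's-complement sum over the header taken as 16-bit words."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def auto_tunnel(ipv6_packet, local_v4):
    """Encapsulate ipv6_packet for automatic tunneling.

    Returns the IPv4 packet, or None when the destination is not an
    IPv4-compatible address that can be auto-tunneled.
    """
    if len(ipv6_packet) < 40 or ipv6_packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    # Destination address occupies bytes 24..39 of the fixed IPv6 header.
    endpoint = tunnel_endpoint(ipaddress.IPv6Address(ipv6_packet[24:40]))
    if endpoint is None:
        return None
    src = ipaddress.IPv4Address(local_v4)
    # version/IHL, TOS, total length, id, flags/fragment, TTL, protocol, checksum
    fields = [0x45, 0, 20 + len(ipv6_packet), 0, 0, 64, IPPROTO_IPV6, 0,
              src.packed, endpoint.packed]
    fields[7] = ipv4_checksum(struct.pack("!BBHHHBBH4s4s", *fields))
    return struct.pack("!BBHHHBBH4s4s", *fields) + ipv6_packet


def sample_packet(dst):
    """Constructed 40-byte IPv6 header (no payload, next header 59)."""
    src6 = ipaddress.IPv6Address("::192.0.2.1")
    return struct.pack("!IHBB16s16s", 0x60000000, 0, 59, 64,
                       src6.packed, ipaddress.IPv6Address(dst).packed)


if __name__ == "__main__":
    outer = auto_tunnel(sample_packet("::198.51.100.20"), "192.0.2.1")
    print("outer IPv4 destination:", ipaddress.IPv4Address(outer[16:20]))
    print("native destination tunneled:",
          auto_tunnel(sample_packet("3ffe:501:ffff:100::1"), "192.0.2.1") is not None)
```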


The following diagram shows automatic tunneling. 


Figure 2-2 Automatic Tunneling 


Router-to-Router and Router-to-Host Automatic Tunneling 





Configured Tunneling 


In the Router-to-Router and Host-to-Router scenarios, the IPv6 packet is tunneled to a router. The 
tunnel end point is a router that must decapsulate the IPv6 packet and forward it to the destination. 
The end point of the tunnel is different from the destination, so the addresses of the IPv6 packet 
being tunneled do not provide the IPv4 address of the tunnel end point. The tunnel end point address 
must be determined from the configuration information on the node performing the tunneling, which 
is the reason this method is called configured tunneling. 


The tunnel end point address is determined from the configuration information in the encapsulating 
node. For each tunnel, the encapsulating node must store the tunnel end point address. When an 
IPv6 packet is transmitted over a tunnel, the tunnel end point address configured for that tunnel is 
used as the destination address for the encapsulating IPv4 header. 


The routing information on the encapsulating node determines which packets to tunnel. This is done 
via a routing table that directs packets based on the destination address using the prefix mask and 
match technique. 


The following diagram shows a configured tunnel. 


Figure 2-3 Configured Tunneling 


2.2.2 Default Configured Tunnel 


Nodes that are connected to IPv4 routing infrastructures can use a configured tunnel to reach an 
IPv6 backbone. If the IPv4 address of the IPv6/IPv4 border router is known, a tunnel can be 
configured to that router. 


This tunnel can be configured as the default route. All IPv6 destination addresses match the route 
and could potentially traverse the tunnel. The tunnel end point address of such a default tunnel could 
be the IPv4 address of the IPv6/IPv4 border router. Novell uses a default configured tunnel to reach 
the IPv6/IPv4 border router. 


2.3 Testing Your Setup with 6Bone 


6Bone is a logical test IPv6 network, overlaid on the IPv4 Internet. 


It is an independent outgrowth of the IPv6 project, resulting from an informal collaboration between 
the U.S., Japan, and Europe. You can join the network and use it to test your setup. 


The following diagram shows the 6Bone network. 


Figure 2-4 The 6Bone Network 





Globally addressable IPv6 has a three-level hierarchy that includes the following: 


+ A public topology (the 48-bit external routing prefix) 


+ A site topology (typically a 16-bit subnet number) 


+ An Interface Identifier (usually an automatically generated 64-bit number unique on at least the 
local LAN segment) 


The public topology has two or more levels of hierarchy, specifying the Top Level Aggregator 
(typically a high-level ISP), Next Level Aggregators (zero or more mid-level ISPs), and a final Next 
Level Aggregator (which is the end user site). The end user sites get their address prefixes from an 
ISP that provides their IPv6 service. 


To join 6Bone, you get a 48-bit IPv6 external routing prefix from an existing pTLA (pseudo-Top 
Level Aggregator) 6Bone ISP. 


To do this, you use the registry database to identify a suitable pTLA, then contact one of the listed 
registry contacts through e-mail. 


You'll receive an end point address and an IPv6 format prefix, which you should enter into the 
centralized registry database. You can then use the 6Bone network to test your setup for 
functionality and interoperability. 


Setting Up Novell IPv6 


This section covers the basics of how to install required files and set up the Novell® IPv6 protocol. 
After IPv6 is set up, the transmission of packets through IPv4 and IPv6 depends on the address type 
specified in the packets. The following setup and configuration requirements are discussed here: 

+ Section 3.1, “Required NLM Files”
+ Section 3.2, “IPv6 Files on a NetWare Server”
+ Section 3.3, “Installing Novell IPv6”
+ Section 3.4, “Utilities That Can Use Novell IPv6”
+ Section 3.5, “Novell IPv6 Configuration”
+ Section 3.6, “Novell IPv6 Commands”
+ Section 3.7, “Uninstalling Novell IPv6”


3.1 Required NLM Files 


The following core NetWare® Loadable Module™ (NLM™) files used by the Novell IPv6 stack 
should be copied to the sys:\system directory: 

+ bsdsock.nlm: NLM for socket libraries 
+ ipv6.nlm: IPv6 core NLM 
+ netlib.nlm: NLM housing utility function for scheduler address libraries, etc. 
+ resolv.nlm: NLM used for DNS libraries 
+ static6.nlm: Static routing NLM 
+ tcp.nlm: TCP modified to support IPv6 end points 
+ tcpip.nlm: IPv4 NLM for setting up tunnels 
+ rip6.nlm: NLM for dynamic routing 


3.2 IPv6 Files on a NetWare Server 


After the NetWare server is installed, the IPv6-related NLM files are available for IPv6 setup and 
configuration. Other required NLM files, such as tcp.nlm, tcpip.nlm, bsdsock.nlm, and 
netlib.nlm, are already loaded when the server comes up. The following sections list the 
directory structures for the IPv6-related files on the NetWare server: 

+ Section 3.2.1, “Sys:\research\ipv6”
+ Section 3.2.2, “Sys:\research\ipv6\apache”
+ Section 3.2.3, “Sys:\research\ipv6\ftp”
+ Section 3.2.4, “Sys:\research\ipv6\nls\4”
+ Section 3.2.5, “Sys:\research\ipv6\nls\9”
+ Section 3.2.6, “Sys:\research\ipv6\nls\12”
+ Section 3.2.7, “Sys:\research\ipv6\ping6”


3.2.1 Sys:\research\ipv6 


The following files are available at this location: 


+ gw6 
+ ip6.cfg 
+ ip6.ncf 
+ ipv6.nlm 
+ resolv.nlm 
+ rtadvd.cfg 
+ static6.nlm 
+ uip6.ncf 
+ RIPng.nlm 


3.2.2 Sys:\research\ipv6\apache 


All the Apache-related NLM files are available at this location. 


3.2.3 Sys:\research\ipv6\ftp 


The following files are available at this location: 


+ nwftpd6.msg 
+ nwftpd6.nlm 


3.2.4 Sys:\research\ipv6\nls\4 


The following files are message files for English: 


+ ipv6.msg 
+ static6.msg 


3.2.5 Sys:\research\ipv6\nls\9 


The following files are message files for Japanese: 


+ ipv6.msg 
+ static6.msg 


3.2.6 Sys:\research\ipv6\nls\12 


The following files are message files for Portuguese: 


+ ipv6.msg 
+ static6.msg 


3.2.7 Sys:\research\ipv6\ping6 


The following file is available at this location: 


+ ping6.nlm 


3.3 Installing Novell IPv6 


You can install Novell IPv6 using one of the following methods: 


+ Section 3.3.1, “Manual Installation”
+ Section 3.3.2, “Auto Installation Using Scripts”


3.3.1 Manual Installation 


1 Copy the ipv6.nlm, static6.nlm, and resolv.nlm files from sys:\research\ipv6 to sys:\system. 


2 Copy the ip6.cfg, rtadvd.cfg, and gw6 files from sys:\research\ipv6 to sys:\etc. 

  These are sample files. Modify information such as the board name and the required 
  addresses as appropriate. 


3 Copy the ip6.msg and static6.msg files from sys:\research\ipv6\nls\number to 
sys:\system\nls\number. 

  Replace number with 4, 9, or 12. These are the message files for English, Japanese, and 
  Portuguese, respectively. 


4 Copy the ip6.ncf and uip6.ncf files from sys:\research\ipv6 to sys:\system. 


5 Run ip6.ncf at the command prompt. 

  The IPv6 stack is now installed and ready to use. 


3.3.2 Auto Installation Using Scripts 


1 Enter perl sys:\research\ipv6\install.pl at the server console. 

  The IPv6-related files are copied into the system directory. 


2 Enter ip6.ncf at the server console. 

  All the IPv6-related NLM programs are loaded. 


3.4 Utilities That Can Use Novell IPv6 


This section discusses the utilities that can use IPv6 and the manner in which they can be used: 


+ Section 3.4.1, “Apache2”
+ Section 3.4.2, “FTP6”
+ Section 3.4.3, “IPTrace6”
+ Section 3.4.4, “PING6”


3.4.1 Apache2 


+ “Server Side”
+ “Client Side (Browser)”


Server Side 


1 Copy the WinSock NLM files from the sys:\research\ipv6\winsock directory to the c:\nwserver 
directory. 


2 Copy the folders and NLM files from the sys:\research\ipv6\apache2 directory to the 
sys:\apache2 directory. 


3 Load ipv6.nlm. 


4 Load resolv.nlm. 


5 Load sys:\apache2\apache2.nlm. 

  This starts the Apache Server. 


Client Side (Browser) 


This information is specific to the Internet Explorer* (IE) on the Windows* XP platform. It can also 
apply to Support Patch for IPv6 for Windows 2000 nodes. 


The default browser (IE) that comes with Windows XP does not support literal IPv6 strings as 
addresses. Therefore, you cannot use the address directly in the browser as http://[3ffe::1]. You must 
use DNS names for the address. 

1 Disable the proxy in your browser. 


In IE, click Tools > Internet Options > Connections > LAN Settings, then deselect the Use a 
proxy server for your LAN check box. This must be done in case the DNS query is directed to 
the proxy, which might not have IPv6 support. 


2 Verify the DNS entry. 


+ If you have a DNS server supporting IPv6 Name-to-Address resolution, you can depend 
on that for resolution of the query. 


+ Otherwise, you can configure the DNS name in the c:\windows\system32\drivers\etc\hosts 
file, similar to the format used for IPv4. For example: 


3ffe::1 ipv6_host 


http://ipv6_host then connects to the Apache Server. 


3.4.2 FTP6 


1 Copy the nwftpd6.nlm file from the sys:\research\ipv6\ftp directory to the sys:\system 
directory. 


2 Copy the nwftpd6.msg file from the sys:\research\ipv6\ftp directory to the sys:\system\nls\4 
directory. 


3 In order to use the IPv6-enabled FTP Server (nwftpd6.nlm), make sure to unload the IPv4 version 
in the system (unload nwftpd.nlm). 


4 Run nwftpd6.nlm. 

  It autoloads ftpif.nlm. 


5 Enter nwftpd6 -a at the server console to create an anonymous user for FTP access. 


Nwftpd6.nlm binds to all the interfaces in the system. 


3.4.3 IPTrace6 


IPTrace6 is a debugging tool used to trace the path taken by a packet from the source host to 
the destination host. It lists the IPv6 addresses of the intermediate routers that have been traversed to 
reach the destination. It uses ICMPv6 error messages to do this. 


You can locate IPTrace6 in sys:\research\ipv6\tools\iptrace6.nlm. 
Enter the following command to use the IPTrace6 feature: 


IPTrace6 destination [Hops=max_hops] [StartHop=starting_ttl] [Wait=max_wait_time] 
[Port=destination_port] [Pkt=number_of_packets_for_each_hop] 


Parameters for IPTrace6 


+ Hops: Specifies the maximum number of hops that will be made before IPTrace6 stops 
searching. Default = 30. 


+ StartHop: Specifies the initial value of the time-to-live (ttl) in the outgoing packet. For 
example, if there are three hops to the destination and the StartHop is specified as 2, the 
IPTrace6 display skips the router at the first hop and starts from the second one. Default = 1. 


+ Wait: Specifies the time (in seconds) to wait for the response (ICMPv6 Time Exceeded) to a 
probe. If no reply is received within this time, an asterisk (*) is displayed. Default = 5. 


+ Port: Specifies the UDP port number that the IPTrace6 packets are sent to. It should be greater 
than 6000. Default = 40001. 


+ Pkt: Specifies the number of packets sent with the same ttl value. Default = 3. 


Some examples of using IPTrace6: 


IPTrace6 www.novell.com 


IPTrace6 www.novell.com Starthop=3 Pkt=4 

3.4.4 PING6 


1 Copy the ping6.nlm file from the sys:\research\ipv6\ping6 directory to the sys:\system 
directory. 


2 Run ping6.nlm to test the communication between any two nodes. 





TIP: Just entering ping6 without any options opens the Help screen. 


3.5 Novell IPv6 Configuration 


You can configure the IPv6 stack by modifying the default ip6.cfg file found under sys:\etc. You can 
also use the rtadvd.cfg file in conjunction with the ip6.cfg file to make the node function as an 
advertising interface. This section describes the formats for the following configuration files: 


+ Section 3.5.1, “Ip6.cfg File”
+ Section 3.5.2, “Rtadvd.cfg File”


3.5.1 Ip6.cfg File 


The configuration of the IPv6 stack is possible through the ip6.cfg file, which is placed under 
sys:\etc. To configure the IPv6 stack, modify the default file provided with the stack. 


+ “Configuration File Format”
+ “Example Configuration File”
+ “Field Level Description with Default Values”


Configuration File Format 


[Interface All] 
Router               Yes | No 
Autotunnel           Yes | No 
6to4                 Yes | No 
[Interface Interface_name] 
Addr                 v6 address 128 bit 
Prefixlen            Prefix length of Addr 
mtu                  MTU for this interface 
rsdelay              Router solicitation delay in seconds 
rsinterval           Delay between the router solicitation in seconds 
rstransmits          Number of router solicitations transmitted 
autoconf             Yes | No 
acceptra             Yes | No 
acceptredirect       Yes | No 
hoplimit             Hop limit to be specified in the outgoing packet 
delayFirstProbeTime  Neighbor discovery parameter 
baseReachableTim     Neighbor discovery parameter 
retransTime          Delay between successive neighbor solicitations 
sendRedirect         Yes | No 
DadTransmits         [1 - 3] 


Example Configuration File 


[Interface All] 
Router               Yes 
Autotunnel           No 
6to4                 No 
[Interface CE100B_1_EII] 
Addr                 3ffe:501:ffff:100::1 
Prefixlen            64 
mtu                  1280 
rsdelay              1 
rsinterval           4 
rstransmits          3 
autoconf 
acceptra 
acceptredirect 
hoplimit 
delayFirstProbeTime  5 
baseReachableTim 
retransTime 
sendRedirect 
DadTransmits 


Field Level Description with Default Values 


Table 3-1 For the Common Interface Record 


Field Name           Description                   Default Value 
Router               Router/Host functionality     No (Host) 
Autotunnel           Autotunnel enable/disable     No (disable) 
6to4                 6to4 tunnel enable/disable    No (disable) 


Table 3-2 For the Interface-Specific Record 


Field Name           Description                                                                   Default Value 
Addr                 Corresponding IPv6 address                                                    None 
Prefix Len           Prefix length of the address                                                  None 
mtu                  MTU of the interface                                                          MaxReceiveSize of the corresponding driver 
Rsdelay              Router solicitation delay (in seconds)                                        1 
Rsinterval           Router solicitation interval (in seconds)                                     4 
Rstransmits          Number of times router solicitation is transmitted                            3 
Autoconf             Indicates if autoconfiguration should be performed on the interface (yes/no) 
Acceptra             Indicates if router advertisements should be accepted on this interface (yes/no) 
Acceptredirect       Indicates if redirects should be accepted on this interface (yes/no) 
Hoplimit             Hop limit filled in the outgoing packets 
DelayFirstProbeTime  Time (in seconds) to wait in Delay state 
BaseReachableTime    Neighbor discovery parameter (in seconds)                                     30 
RetransTime          Time (in seconds) between successive neighbor solicitations                   1 
SendRedirect         Indicates if redirects should be sent on this interface (yes/no)              Yes 
DadTransmits         Number of consecutive neighbor solicitation messages sent while               3 
                     performing Duplicate Address Detection on a tentative address 


3.5.2 Rtadvd.cfg File 


You can use the rtadvd.cfg file in conjunction with the ip6.cfg file to make the node function as an 
advertising interface. For the values in the rtadvd.cfg file to take effect, you need to set the Router 
field to Yes in the ip6.cfg file. Refer to “Configuration File Format” on page 26. 


Configuration File Format 

+ “Router Advertisement” on page 28
+ “Prefix List” on page 28
+ “Example Configuration File” on page 29


Router Advertisement


You need to set the following file formats to configure router advertisement (interface specific): 





[Interface Interface_name]
RASendAdvertisements   Yes | No
RAMaxInterval          [4 - 1800]
RAMinInterval          [3 - 0.75 * RAMaxInterval] seconds
RAManagedFlag          Yes | No
RAOtherConfigFlag      Yes | No
RALinkMTU              [0 - LinkMTU]
RAReachableTime        [0 - 3,600,000]
RARetransTimer         Retransmit time in milliseconds
RACurHopLimit          Hop_limit
RADefaultLifeTime      [0 | MaxRtrAdvInterval - 9000]





NOTE: This record can occur only once for an interface. 





Prefix List 


You need to set the following file formats to configure the Prefix list to be advertised for each 
interface: 


[RAPrefixListIf Interface_name]
Prefix                 Prefix to be advertised
PrefixLen              [64 - 128]
RAValidLifeTime        Valid life time of the Prefix in seconds
RAPreferredLifeTim     Preferred life time of the Prefix in seconds
RAAutonomousFlag       Yes | No
RAOnLinkFlag           Yes | No
RAReal_Fixed_TimeFlag  Real | Fixed





NOTE: This record can occur multiple times for an interface, depending on the number of prefixes 
that are to be advertised. 





Example Configuration File 


[Interface DLKRTS EIT ]
RASendAdvertisements   Yes
RAMaxInterval          20
RAMinInterval          3
RAManagedFlag          Yes
RAOtherConfigFlag      Yes
RALinkMTU              0
RAReachableTime        200
RARetransTimer         3
RACurHopLimit          255
RADefaultLifeTime      1800

[RAPrefixListIf DLKRTS EIT]
Prefix                 3ffe:dad::0
PrefixLen              64
RAValidLifeTime        300
RAPreferredLifeTim     250
RAAutonomousFlag       Yes
RAOnLinkFlag           No
RAReal_Fixed_TimeFlag  Real

[RAPrefixListIf DLKRTS EIT]
Prefix                 3ffe:FEED::0
PrefixLen              64
RAValidLifeTime        50
RAPreferredLifeTim     30
RAAutonomousFlag       Yes
RAOnLinkFlag           No
RAReal_Fixed_TimeFlag  Fixed


Field Level Description with Default Values 


Table 3-3 For the Router Advertisement Record


Field name             Description                                       Default Value

RASendAdvertisements   Router advertisement enable/disable.              No (disabled)

RAMaxInterval          The maximum time (in seconds) allowed             600
                       between unsolicited multicast router
                       advertisements transmitted from the interface.

RAMinInterval          The minimum time (in seconds) allowed             198
                       between unsolicited multicast router
                       advertisements transmitted from the interface.

RAManagedFlag          The value to be placed in the Managed             No
                       address Configuration flag field in the
                       router advertisement. Specifies whether hosts
                       should use stateful autoconfiguration to obtain
                       addresses.

RAOtherConfigFlag      The value to be placed in the Other Stateful      No
                       Configuration flag field in the router
                       advertisement. Indicates whether hosts should
                       use stateful autoconfiguration to obtain
                       additional information (excluding addresses).

RALinkMTU              The value to be placed in MTU options sent by
                       the router. A value of 0 (zero) indicates that no
                       MTU options are sent.

RAReachableTime        The value to be placed in the Reachable Time
                       field in the router advertisement messages
                       sent by the router. A value of zero means
                       unspecified (by this router). This denotes the
                       time (in milliseconds) that a node assumes a
                       neighbor is reachable after having received a
                       reachability confirmation.

RARetransTimer         The value to be placed in the Retrans Timer
                       field in the router advertisement messages
                       sent by the router. A value of 0 (zero) means
                       unspecified (by this router). This denotes the
                       time (in milliseconds) between retransmitted
                       neighbor solicitation messages.

RACurHopLimit          The value to be placed in the Cur Hop Limit       255
                       field in the router advertisement messages
                       sent by the router. The value should be set to
                       the current diameter of the Internet. A value of
                       0 (zero) means unspecified (by this router).

RADefaultLifeTime      The time value (in seconds) to be placed in the   1800
                       Router Lifetime field of router advertisements
                       sent from the interface. A Lifetime of 0 (zero)
                       indicates that the router is not a default router.
                       The Router lifetime applies only to the router's
                       usefulness as a default router.


Table 3-4 For the Prefix Description Record


Field name             Description                                       Default Value

Prefix                 The prefix to be placed in Prefix Information     None
                       options in router advertisement messages
                       sent from the interface.

PrefixLen              Prefix length.                                    64

RAValidLifeTime        The length of time in seconds that the prefix is  2592000
                       valid for the purpose of onlink determination.

RAPreferredLifeTime    The length of time (in seconds) that addresses    604800
                       generated from the prefix via stateless
                       address autoconfiguration remain preferred.

RAAutonomousFlag       Indicates whether this prefix can be used for     Yes
                       autonomous address configuration

RAOnLinkFlag           Indicates whether this prefix can be used for     Yes
                       onlink determination

RAReal_Fixed_TimeFlag  Indicates whether the lifetimes specified         Fixed
                       decrement in real time or remain as a fixed
                       time that stays the same in consecutive
                       advertisements
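

A linter for the rtadvd.cfg rules given in this section (value ranges, one advertisement record per interface, prefix length), added here as an example and not Novell's code. The check that the preferred lifetime does not exceed the valid lifetime comes from RFC 4861, and the warning for a valid lifetime shorter than RAMaxInterval is an added heuristic; the interface name ETH_TEST and its values are constructed.

```python
import ipaddress
import re

HEADER = re.compile(r"^\[\s*(Interface|RAPrefixListIf)\s+(.+?)\s*\]$", re.IGNORECASE)

def parse_rtadvd(text):
    """Split rtadvd.cfg text into (record kind, interface name, {key: value})."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = HEADER.match(line)
        if header:
            records.append((header.group(1).lower(), header.group(2), {}))
        elif records:
            key, _, value = line.partition(" ")
            records[-1][2][key.lower()] = value.strip()
    return records

def _num(fields, key, default):
    # Prefix match: the format section spells one key "RAPreferredLifeTim".
    for name, value in fields.items():
        if name.startswith(key):
            return int(value)  # ValueError on a non-numeric value
    return default

def _check_interface(name, f, out):
    ra_max = _num(f, "ramaxinterval", 600)       # defaults from Table 3-3
    ra_min = _num(f, "ramininterval", 198)
    life = _num(f, "radefaultlifetime", 1800)
    reach = _num(f, "rareachabletime", 0)        # 0 means unspecified
    if not 4 <= ra_max <= 1800:
        out.append(f"{name}: RAMaxInterval {ra_max} outside 4-1800")
    if not 3 <= ra_min <= 0.75 * ra_max:
        out.append(f"{name}: RAMinInterval {ra_min} outside 3-{0.75 * ra_max:g}")
    if life != 0 and not ra_max <= life <= 9000:
        out.append(f"{name}: RADefaultLifeTime {life} is neither 0 nor {ra_max}-9000")
    if not 0 <= reach <= 3600000:
        out.append(f"{name}: RAReachableTime {reach} outside 0-3600000")
    return ra_max

def _check_prefix(name, f, ra_max, out):
    prefix = ipaddress.IPv6Address(f.get("prefix", ""))  # ValueError if missing/malformed
    plen = _num(f, "prefixlen", 64)              # defaults from Table 3-4
    valid = _num(f, "ravalidlifetime", 2592000)
    preferred = _num(f, "rapreferredlifetim", 604800)
    if not 64 <= plen <= 128:
        out.append(f"{name} {prefix}: PrefixLen {plen} outside 64-128")
    if preferred > valid:
        out.append(f"{name} {prefix}: preferred lifetime {preferred} exceeds valid {valid}")
    if valid < ra_max:
        out.append(f"{name} {prefix}: valid lifetime {valid} shorter than RAMaxInterval {ra_max}")

def lint_rtadvd(text):
    """Return a list of findings; an empty list means every check passed."""
    out, ra_max_by_if = [], {}
    for kind, name, fields in parse_rtadvd(text):
        try:
            if kind == "interface":
                if name in ra_max_by_if:
                    out.append(f"{name}: more than one router advertisement record")
                ra_max_by_if[name] = _check_interface(name, fields, out)
            else:
                _check_prefix(name, fields, ra_max_by_if.get(name, 600), out)
        except ValueError as exc:
            out.append(f"{name}: unparsable value ({exc})")
    return out

# First and last record of the example file in this section.
PAGE_SAMPLE = """\
[Interface DLKRTS EIT ]
RASendAdvertisements Yes
RAMaxInterval 20
RAMinInterval 3
RAReachableTime 200
RADefaultLifeTime 1800
[RAPrefixListIf DLKRTS EIT]
Prefix 3ffe:FEED::0
PrefixLen 64
RAValidLifeTime 50
RAPreferredLifeTim 30
"""

# Constructed sample that breaks five of the rules.
BROKEN_SAMPLE = """\
[Interface ETH_TEST]
RAMaxInterval 600
RAMinInterval 500
RADefaultLifeTime 100
[RAPrefixListIf ETH_TEST]
Prefix 2001:db8:1::
PrefixLen 48
RAValidLifeTime 300
RAPreferredLifeTim 600
"""

if __name__ == "__main__":
    for finding in lint_rtadvd(BROKEN_SAMPLE):
        print(finding)
```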


3.6 Novell IPv6 Commands 


This section explains the commands that can be used to set up the Novell IPv6 stack. 


+ Section 3.6.1, “Interface - Related Commands,” on page 32
+ Section 3.6.2, “Routing Commands,” on page 32
+ Section 3.6.3, “Tunnel Commands,” on page 33
+ Section 3.6.4, “General Commands,” on page 34


3.6.1 Interface - Related Commands


This section covers the following: 


+ “Bind Protocol” on page 32
+ “IP6 Configuration Display” on page 32
+ “Unbind Protocol” on page 32


Bind Protocol


Syntax: bind protocol_name board_name addr address len prefixlen
Description: Binds a communication protocol to a network board.
Example: bind ip6 ce100b
         bind ip6 ce100b addr 3ffe::1 len 64


IP6 Configuration Display


Syntax: ip6config
Description: Displays the board configuration, which includes all types of IPv6 addresses
configured to various boards and the corresponding preferred and valid
lifetimes.
Example: ip6config


Unbind Protocol


Syntax: unbind protocol_name board_name
Description: Unbinds a communication protocol from a board.
Example: unbind ip6 ce100b


3.6.2 Routing Commands 


This section covers the following: 


+ “Forwarding Capability Status Display” on page 32
+ “Route Addition” on page 33
+ “Route Deletion” on page 33
+ “Routing Table Display” on page 33


Forwarding Capability Status Display


Syntax: ip6router
Description: Displays the current status.
Example: Displays the current status as "IP6Forwarding is ON" / "IP6Forwarding is OFF"


Route Addition


Syntax: Rt6add IP6_Destination_Prefix Gateway_Address %Interface_Name Prefix_Length
Description: Adds an IPv6 route to the IPv6 routing table. The interface name uses
the default and does not need to be specified for a global address.
Example: Rt6add 3ffe:88::1234 fe80::8%CE100_1_EII 64
         Rt6add 3ffd:: 3ffe:88::1234 64

         To add a default route, give the unspecified address (::) as the
         IPv6 Destination Prefix and the prefix length as 0 (zero). For example:

         rt6add :: fe80::9%CE100B_1_EII 0


Route Deletion


Syntax: Rt6del IP6_Destination_Prefix %Interface_Name Prefix_Length
Description: Deletes an IPv6 route from the IPv6 routing table. The interface name
uses the default and does not need to be specified for a global address.
Example: Rt6del fe80::8%CE100B_1_EII 64
         Rt6del 3ffe:88::1234 64

         To delete a default route:

         rt6del :: 0


Routing Table Display


Syntax: Rt6Table
Description: Displays the Routing Table.
Example: rt6table


3.6.3 Tunnel Commands 


This section covers the following: 


+ “Configured Tunnel Creation” on page 34
+ “Configured Tunnel Deletion” on page 34
+ “Configured Tunnel Information Display” on page 34
+ “Current Automatic Tunneling Status Display” on page 34


Configured Tunnel Creation


Syntax: tun6bind tunnelname local_IPv6_address remote_IPv6_address
local_IPv4_address remote_IPv4_address
Description: Creates one end of a tunnel.
Example: tun6bind test-tunnel 3ffe::1 3ffe::2 172.16.1.1 172.16.1.10


Configured Tunnel Deletion


Syntax: tun6unbind tunnelname
Description: Deletes a tunnel.
Example: tun6unbind test-tunnel


Configured Tunnel Information Display


Syntax: Tun6List -t tunnel_name
        Tun6List -n number_of_tunnels_to_display_at_a_time
Description: Displays the bound tunnels and the tunnel information.
Example: Tun6List (Displays all the bound tunnels one by one)
         Tun6List -t test-tunnel (Displays details of test-tunnel alone)
         Tun6List -n 5 (Displays tunnel info five at a time)


Current Automatic Tunneling Status Display


Syntax: ip6autotunnel
Description: Displays the status of Automatic Tunneling capability as "Auto
Tunneling is ON" or "Auto Tunneling is OFF". Set this feature to On (in
the ip6.cfg file) to automatically create corresponding compatible
addresses for all the bound IPv4 addresses, thereby enabling the use
of automatic tunneling with these addresses.

Set this feature to Off (in the ip6.cfg file) to automatically unbind all the
compatible addresses created.

Default = On.

Example: ip6autotunnel


3.6.4 General Commands 


+ “Default Router List Display” on page 35
+ “Destination Cache Display” on page 35
+ “Destination Cache Flush” on page 35
+ “Neighbor Cache Display” on page 35
+ “Neighbor Cache Entry Deletion” on page 35
+ “Neighbor Cache Flush” on page 35
+ “Prefix List Display” on page 35


Default Router List Display


Syntax: dfr6list
Description: Displays the information about the default routers learned dynamically.


Destination Cache Display


Syntax: dc6list
Description: Lists the destination cache entries.


Destination Cache Flush


Syntax: dc6flush
Description: Flushes the destination cache of the system.


Neighbor Cache Display


Syntax: nc6list
Description: Displays the neighbor cache entries.


Neighbor Cache Entry Deletion


Syntax: nc6del IP6Address Board_Name
Description: Deletes the neighbor cache entry for the specified neighbor of the specified
interface.


Neighbor Cache Flush


Syntax: nc6flush
Description: Flushes the neighbor cache entries of the system.


Prefix List Display


Syntax: pf6list
Description: Displays the prefix information learned from routers.


3.7 Uninstalling Novell IPv6 


1 Enter uip6.ncf at the server console. 
The IPv6-related NLM programs are unloaded. 
2 Enter perl sys:\research\ipv6\uinstall.pl at the server console.


All the IPv6-related files are removed from the system directory.


Configuring a Secure Channel using IPv6


+ Section 4.1, “Using IPsec to configure a secure channel,” on page 37
+ Section 4.2, “Multiprocessing and IPv6,” on page 40


4.1 Using IPsec to configure a secure channel 


The IPsec component provides the capability of establishing an end-to-end channel between two 
hosts. IPv6 supports only transport mode IPsec connections. Secure connections have the following 
properties: 


+ Authentication: The IPv6 extension header type 51 (AH - Authentication Header) provides 
authenticity and integrity to IP datagrams exchanged among communication end points. 


+ Encryption: The IPv6 extension header type 52 (ESP - Encapsulating Security Payload) 
provides confidentiality and integrity to IP datagrams exchanged among communication end 
points. 


In short, AH adds authentication, and ESP adds encryption to ensure that the communication is with 
the right peer and that it is secure. In a Novell® IPv6 stack, you can configure AH alone or AH and 
ESP together. ESP provides both Authentication and Encryption features. 


The following configurations are possible while providing secure end-to-end connections: 


+ Authentication
+ Encryption and authentication through ESP
+ Authentication through ESP


Table 4-1 Configurable Parameters for AH and ESP


Configuration Settings           Property         Description and Usage

AH                               + hmac96-sha     Specifies the type of service
                                 + hmac96-md5     required in authentication.
                                                  Authenticating algorithms.
                                                  Either can be used.

ESP                              + V2-3des-cbc    Specifies the type of service
                                 + V2-des-cbc     required for encryption.
                                                  Encryption algorithms.
                                                  Either can be used.

IN/OUT                           Packet           Specifies the service required for
                                                  inbound or outbound connections.
                                                  Incoming or Outgoing.

Source and destination address   Identifier       Specifies the source and
                                                  destination address of the end-to-
                                                  end hosts where authentication or
                                                  encryption is required.

Security Parameter Index (SPI)   Index            Specifies the index of the security
                                                  association specified at the other
                                                  end of a secure connection.

hmac96-md5                       64 byte key      Shared Secret 64 byte value for
                                                  authentication at both the ends
                                                  which can be either hmac96-md5 or
                                                  hmac96-sha.
                                                  Random number.

hmac96-sha                       64 byte key      Shared Secret 64 byte value for
                                                  authentication at both the ends
                                                  which can be either hmac96-md5 or
                                                  hmac96-sha.
                                                  Random number.

DES-CBC key                      16 byte key      The 16 byte key for encryption.
                                                  Random number.

3DES-CBC key                     48 byte key      The 48 byte key for encryption.
                                                  Random number.


Table 4-2 Parameter Settings for IPsec 


Configuration Setting Property Description and Usage 
Set enable IPsec6 for IPv6 =on Switch to enable IPsec6. 
Set enable IPsec6 logging =on Switch to enable logging. 


4.1.1 Configuring an End-to-End Secure Connection with AH 


1 Configure the secure connection by modifying the ipseckey.cfg file. For the configuration to
take effect, this file should be manually copied to the sys:\system folder.


The configuration settings of the file must be in the following manner:
AH in SPI Source address Destination address Authentication type key
A typical end-to-end inbound AH configuration might look as follows:


AH in 0x10001 3ffe::1 3ffe::2 hmac96-sha 414141414141414141414141414141414141414141414141
AH out 0x20002 3ffa::2 3ffa::1 hmac96-sha 414141414141414141414141414141414141414141414141


This specifies that all incoming traffic coming on 3ffe::1 from destination 3ffe::2 needs to be
authenticated using hmac96-sha with secret 4141---41 (64 byte). The SPI id is 0x10001. The
outgoing traffic on 3ffa::1 to destination 3ffa::2 needs to contain AH using hmac96-sha using
secret 4141---41 (64 byte). The SPI id is 0x20001.


The SPI value of the outgoing connection must be the SPI value of the incoming connection
and vice versa.


2 Configure ipseckey.cfg at the other end as follows: 


AH in 0x20002 3ffa::2 3ffa::1 hmac96-sha 414141414141414141414141414141414141414141414141
AH out 0x10001 3ffa::1 3ffa::2 hmac96-sha 414141414141414141414141414141414141414141414141





NOTE: The SPI value of the outgoing connection must be the SPI value of the incoming 
connection and vice versa. 

3 Load IPv6 at both ends. 

4 To enable IPsec, set Enable IPsec6 for IPv6 to On. 

5 To track statistics and get help with troubleshooting, set Enable IPsec6 logging to On. 


Any packets going from 3ffa::1 to 3ffa::2 are authenticated by using hmac96-sha with secret 
configured in the file. 


4.1.2 Configuring an End-to-End Secure Connection by using ESP


1 Configure the secure connection by modifying the ipseckey.cfg file. For the configuration to
take effect, this file should be manually copied to the sys:\system folder.


The configuration settings of the file must be in the following manner:
AH in SPI Source address Destination address Authentication type key
A typical end-to-end inbound AH configuration might look as follows:


ESP in 0x10001 3ffe::1 3ffe::2 v2-3des-cbc 41414141414141414111111 hmac96-md5 414141414141
ESP out 0x20001 3ffa::2 3ffa::1 v2-3des-cbc 41414141414141414141441 hmac96-md5 414141414141








This indicates that incoming traffic on 3ffe::1 from destination 3ffe::2 needs to be authenticated
using hmac96-md5 using secret 4141---41 (64 byte) and decrypted using 3DES using
4141414 (48 byte). The SPI id is 0x10001.


The outgoing traffic on 3ffa::1 to destination 3ffa::2 must contain AH using hmac96-md5 using
secret 4141---41 (64 byte) and encrypted using 3DES. The SPI id is 0x20001.





NOTE: The SPI value of the outgoing connection must be the SPI value of the incoming 
connection and vice versa. 





2 Configure ipseckey.cfg at the other end as follows: 


ESP in 0x20001 3ffa::2 3ffa::1 v2-3des-cbc 41414141414141414111111 hmac96-md5 414141414141
ESP out 0x10001 3ffa::1 3ffa::2 v2-3des-cbc 41414141414141414141441 hmac96-md5 414141414141











NOTE: The SPI value of the outgoing connection must be the SPI value of the incoming 
connection and vice versa. 





3 Load IPv6 at both the ends. 
4 To enable IPsec, set Enable IPsec6 for IPv6 to On. 
5 To track statistics and get help with troubleshooting, set Enable IPsec6 logging to On 




IPsec logging can be enabled for the following purposes:
+ Connections made and broken.
+ Reasons for authentication and encryption failures. The possible reasons are replay
attacks and an invalid SA because of invalid SPI configurations.


Any packets going from 3ffa:2 are authenticated and encrypted by using hmac96-md5 and 
3DES-CBC with secret or key configured in the file. 
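

A checker for the SPI mirroring rule and the key properties from Table 4-1, covering both the AH and the ESP procedure above; it is added here as an example and is not Novell's code. It assumes keys are hex-encoded (two digits per byte), that an ESP line is laid out as in the ESP example above (encryption algorithm and key, then authentication algorithm and key), and that a key built from very few distinct bytes, such as a repeated 41, is not the random number the table asks for; all addresses and keys in it are constructed.

```python
import hashlib
import ipaddress
from collections import namedtuple

SA = namedtuple("SA", "proto direction spi src dst algs keys")
AUTH_ALGS = {"hmac96-sha": 64, "hmac96-md5": 64}   # key sizes in bytes (Table 4-1)
ENC_ALGS = {"v2-3des-cbc": 48, "v2-des-cbc": 16}

def parse_ipseckey(text):
    """Parse ipseckey.cfg text; return (list of SA tuples, list of parse errors)."""
    sas, errors = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        tok = line.split()
        if not tok:
            continue
        proto = tok[0].upper()
        # AH carries one (algorithm, key) pair, ESP two (assumed layout).
        if len(tok) != {"AH": 7, "ESP": 9}.get(proto) or tok[1].lower() not in ("in", "out"):
            errors.append(f"line {lineno}: malformed entry")
            continue
        try:
            spi = int(tok[2], 16)
            src, dst = ipaddress.IPv6Address(tok[3]), ipaddress.IPv6Address(tok[4])
        except ValueError:
            errors.append(f"line {lineno}: bad SPI or address")
            continue
        algs = tuple(a.lower() for a in tok[5::2])
        keys = tuple(k.lower() for k in tok[6::2])
        sas.append(SA(proto, tok[1].lower(), spi, src, dst, algs, keys))
    return sas, errors

def check_sa(sa):
    """Check algorithm names, key length and key randomness of one entry."""
    problems = []
    tables = [AUTH_ALGS] if sa.proto == "AH" else [ENC_ALGS, AUTH_ALGS]
    for table, alg, key in zip(tables, sa.algs, sa.keys):
        expected = table.get(alg)
        if expected is None:
            problems.append(f"unknown algorithm {alg!r}")
        try:
            raw = bytes.fromhex(key)
        except ValueError:
            problems.append(f"{alg} key is not valid hex")
            continue
        if expected is not None and len(raw) != expected:
            problems.append(f"{alg} key is {len(raw)} bytes, expected {expected}")
        if len(set(raw)) <= max(1, len(raw) // 4):
            problems.append(f"{alg} key has only {len(set(raw))} distinct byte value(s)")
    return problems

def check_peers(a_text, b_text):
    """Cross-check both ends: every entry needs its opposite-direction twin on the peer."""
    findings, sides = [], {}
    for label, text in (("A", a_text), ("B", b_text)):
        sas, errors = parse_ipseckey(text)
        findings += [f"{label}: {e}" for e in errors]
        for sa in sas:
            tag = f"{label} {sa.proto} {sa.direction} {sa.spi:#x}"
            findings += [f"{tag}: {p}" for p in check_sa(sa)]
        sides[label] = sas
    for here, there in (("A", "B"), ("B", "A")):
        for sa in sides[here]:
            twin = sa._replace(direction="in" if sa.direction == "out" else "out")
            if twin not in sides[there]:
                findings.append(f"{here} {sa.proto} {sa.direction} {sa.spi:#x}: "
                                f"no matching '{twin.direction}' entry on {there}")
    return findings

# Constructed sample keys: fixed digests keep the example reproducible.
# Real keys must come from a random source.
K_AUTH = hashlib.sha512(b"constructed sample").hexdigest()   # 64 bytes
K_3DES = hashlib.sha384(b"constructed sample").hexdigest()   # 48 bytes

HOST_A = (f"AH in 0x10001 3ffe::1 3ffe::2 hmac96-sha {K_AUTH}\n"
          f"AH out 0x20002 3ffe::2 3ffe::1 hmac96-sha {K_AUTH}\n")
HOST_B_OK = (f"AH in 0x20002 3ffe::2 3ffe::1 hmac96-sha {K_AUTH}\n"
             f"AH out 0x10001 3ffe::1 3ffe::2 hmac96-sha {K_AUTH}\n")
# Wrong SPI on the inbound entry; misspelled algorithm and repeated-byte key on the other.
HOST_B_BAD = (f"AH in 0x20001 3ffe::2 3ffe::1 hmac96-sha {K_AUTH}\n"
              f"AH out 0x10001 3ffe::1 3ffe::2 hmac96sha {'41' * 64}\n")

if __name__ == "__main__":
    for finding in check_peers(HOST_A, HOST_B_BAD):
        print(finding)
```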


4.2 Multiprocessing and IPv6 


The IPv6 stack for NetWare® 6.5 SP3 is multiprocessor enabled.


Configuring RIPng for IPv6


RIPng is a dynamic routing protocol for IPv6. The routing procedure is the same as for IPv4 except for
128-bit addressing. Unlike IPv6, RIP for IPv6 is a separate NLM™ and can be loaded if required.


The configuration entries for rip6.nlm must be entered in /etc/ip6.cfg in a separate block.


Table 5-1 Configurable Parameters for RIPng 


Configuration Settings    Property                              Description and Usage

[RIP interface name]      RIP configured on an interface        [RIP CE1000B] - Required
                                                                parameter

Status                    RIP enabled on the interface          Yes = Enable
                                                                No = Disable.
                                                                Required parameter.

Cost                      Cost of the interface to reach the    Range 1 to 16. Dependent on the
                          other end                             administrator's configuration.
                                                                Optional parameter.

poisonreverse             As per RFC2080                        Yes = Enable.
                                                                No = Disable.

splithorizon              As per RFC2080                        Yes = Enable.
                                                                No = Disable.


A typical configuration for RIPng enabled on CE1000B interface with split horizon enabled and 
poison reverse disabled might look like the following: 





[RIP CE1000B] 
status Yes 
cost 2 
poisonreverse No 
splithorizon Yes 


Using Novell IPv6 in Your Network


The following sections provide details on how to use the Novell® IPv6 stack to set up tunneling 
within the corporate network between the IPv6 groups, as well as how to connect to 6Bone in order 
to experience the virtual global IPv6 network. 


+ Section 6.1, “Setting Up Tunneling,” on page 43
+ Section 6.2, “Configuring 6to4 Tunnels,” on page 44
+ Section 6.3, “Using Novell IPv6 to Connect to 6Bone,” on page 44


6.1 Setting Up Tunneling 


You can use automatic or configured tunneling to set up your own IPv6 tunnel. 





NOTE: In the following procedure, Host 1 and Host 2 belong to two different IPv6 networks.
Router 1 and Router 2 are the two edge routers, which are dual stacks to interconnect the IPv6 and
IPv4 networks. It is assumed that both Router 1 and Router 2 are NetWare nodes.


+ Section 6.1.1, “Using Configured Tunneling,” on page 43
+ Section 6.1.2, “Using Automatic Tunneling,” on page 43


6.1.1 Using Configured Tunneling 


1 Make sure the IPv6 stack is loaded on both sides. 


2 Configure one side of the tunnel to set up Router 1 by entering the following at the server 
console: 


Tun6bind test-tunnel 3ffe::1 3ffe::2 172.16.1.1 172.16.1.2


3 Configure the other side of the tunnel to set up Router 2 by entering the following at the server
console:


Tun6bind test-tunnel 3ffe::2 3ffe::1 172.16.1.2 172.16.1.1

The tunnel names do not need to be the same on both sides.

4 Test the connectivity by pinging across the tunnel. 
For example, on Router 1 enter 


Ping6 3ffe::2 


6.1.2 Using Automatic Tunneling 


Unlike configured tunneling, you do not need to explicitly set up an automatic tunnel.





NOTE: The following procedure sets up automatic tunneling between Host 1 and Host 2. 





1 Make sure the IPv6 stack is loaded on both nodes. 
2 Make sure the IPv6 Auto Tunnel feature is set to on for both nodes.
3 Test the connectivity by pinging across the tunnel.
For example, enter


to ::172.16.1.2 from Host 1 and ::172.16.1.1 from H2.


6.2 Configuring 6to4 Tunnels 


You can use the 6to4 tunneling technique to enable the host to encapsulate the IPv6 traffic in the 
IPv4 header and send over the IPv4 Internetwork (Internet). This is one of the mechanisms used to 
ease the transition of networks from IPv4 to IPv6. 


The 6to4 feature is set to No by default. To enable it, set the 6to4 parameter to Yes in the ip6.cfg file 
under sys:\etc. 


[Interface All] 
6to4 Yes 


This enables the machine as a 6to4 host. A 6to4 pseudo-interface is created with an IPv6 address of 
2002:AABB:CCDD::AABB:CCDD, where AABB:CCDD is the colon-hexadecimal representation 
of the IPv4 address a.b.c.d assigned to the node. You can now send and receive 6to4 traffic over this 
machine. However, you need to ensure that the machine has a public IPv4 Internet address. Private 
addresses like 192.168.x.x or 10.x.x.x, 172.16/12, auto-conf addresses 169.254.x.x, and loopback 
addresses 127.x.x.x are ignored. 


You can configure a 6to4 node as a 6to4 router. The 6to4 router encapsulates the IPv6 packets 
received from the private interface into IPv4 packets before forwarding them on the public interface. 
For example, if you have only IPv6 nodes in your network or nodes that have IPv4 private 
addresses, this prevents the host from using the 6to4 feature directly. Therefore, the host can acquire 
the 6to4 prefix from the 6to4 router (which has a public IPv4 address and is connected to the IPv4 
Internet) and configure IPv6 addresses. The host can then forward its IPv6 traffic to the 6to4 router 
that takes care of the tunneling. 


To configure a 6to4 router: 


1 Enable forwarding on the node. 


Refer to the Router variable in the Interface All record under “Configuration File Format” on 
page 26. 


2 Configure the rtadvd.cfg file to advertise the 6to4 prefix (2002:AABB:CCDD::/48) to the IPv6
nodes on the private interface.


Refer to “Rtadvd.cfg File” on page 28. 


3 Configure the rtadvd.cfg file to advertise itself as the default router by setting the 
RADefaultLifeTime to a nonzero value. 


Refer to “Configuration File Format” on page 28. 
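

The 6to4 address and /48 prefix derivation described in this section, with the reverse mapping a log reviewer needs to recover the IPv4 tunnel endpoint behind a 2002::/16 address; this is an added example, not part of the Novell stack. The function names and classification labels are hypothetical, and the ignored ranges are exactly the ones the section lists.

```python
import ipaddress

# IPv4 ranges the guide says are ignored when forming a 6to4 address.
IGNORED_V4 = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # private
    "169.254.0.0/16",                                  # auto-conf
    "127.0.0.0/8",                                     # loopback
)]

def usable_for_6to4(ipv4):
    """True if the IPv4 address is outside every range the guide says is ignored."""
    v4 = ipaddress.IPv4Address(str(ipv4))
    return not any(v4 in net for net in IGNORED_V4)

def sixto4_from_ipv4(ipv4):
    """Return (2002:AABB:CCDD::/48 prefix, 2002:AABB:CCDD::AABB:CCDD address),
    or None when the IPv4 address is in an ignored range."""
    v4 = ipaddress.IPv4Address(str(ipv4))
    if not usable_for_6to4(v4):
        return None
    base = (0x2002 << 112) | (int(v4) << 80)           # IPv4 sits in bits 16-47
    prefix = ipaddress.IPv6Network((base, 48))
    address = ipaddress.IPv6Address(base | int(v4))    # IPv4 repeated in the low 32 bits
    return prefix, address

def classify_6to4_source(ipv6):
    """Classify an IPv6 address seen in a log by what its 6to4 structure implies."""
    v6 = ipaddress.IPv6Address(str(ipv6))
    endpoint = v6.sixtofour                            # None outside 2002::/16
    if endpoint is None:
        return "not-6to4", None
    if not usable_for_6to4(endpoint):
        # Embeds an address the guide says is ignored, so no 6to4 host derives it.
        return "6to4-with-ignored-ipv4", endpoint
    low32 = ipaddress.IPv4Address(int(v6) & 0xFFFFFFFF)
    if low32 == endpoint:
        return "6to4-host-form", endpoint              # the pseudo-interface address
    return "6to4-other-interface-id", endpoint         # e.g. a host behind a 6to4 router

if __name__ == "__main__":
    print(sixto4_from_ipv4("202.169.139.51"))
    print(classify_6to4_source("2002:c0a8:101::1"))
```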


6.3 Using Novell IPv6 to Connect to 6Bone 


+ Section 6.3.1, “Getting an IPv6 Address Space,” on page 45
+ Section 6.3.2, “Connecting to 6Bone,” on page 45


6.3.1 Getting an IPv6 Address Space


The Telecom lab sets up new connections within the backbone to provide access to new leaf sites. 
The lab provides an IPv6 prefix that is a pTLA (pseudo-Top Level Aggregator) and a 6Bone 
connection. If you want to connect to 6Bone, you must fill in a registration form and agree on the 
IPv4/IPv6 addresses to be used on the two sides. When this is done, you can connect to 6Bone. 


6.3.2 Connecting to 6Bone 


In contrast to the classic IPv6-over-IPv4 tunnel setup, you do not register at a 6Bone gateway or get 
forwarded to any IPv6 traffic (encapsulated in IPv4). Because your IPv6 address is provided from a 
source that already has a 6Bone connection, the tunnel establishment and maintenance are done by a 
Tunnel Broker where you got the IPv6 address. 


Tunnel Broker is a mechanism to automatically manage tunnel requests coming from remote users. 
Standalone remote IPv6 users can register on a dedicated Web site, then obtain a script that will 
build an automatic tunnel to the IPv6 network. 


To send IPv6 packets, the host takes the IPv6 packet and encapsulates it into an IPv4 packet. You 
still need a 6Bone-connected gateway that will decapsulate your packets and forward them to 
6Bone. 


The following figure illustrates this. 


Figure 6-1 Connecting through Novell IPv6


Example


Your private network is uplinked through an IPv4-connected PPP link to a 6over4 gateway machine
that is connected to 6Bone.


To connect to 6Bone the following sequence of events must occur: 


1. Assume that 202.169.139.51 is your IPv4 address. 


2. After becoming a registered user in one of the organizations that provide this service, you 
provide the IPv4 address at your end. 


3. Within a few minutes you receive an e-mail containing all the details needed to connect to 
6Bone: 


Tunnel Information

Server IPv4 address               163.162.170.170
Server IPv6 address               3ffe:1001:0001:b000::2489
Server IPv6 link local address    Fe80::a3a2:aaaa
Client IPv4 address               202.169.139.51
Client IPv6 address               3ff2:1001:0001:b000::2488
Client IPv6 link local address    Fe80::caa9:8b33
Expire date                       Mon Aug 20 08:26:32 2003


4. Enter the following command to start pinging to the remote IPv6 address with IPv6 loaded: 


Tun6bind tunnel_name 3ff2:1001:0001:b000::2489 3ffe:1001:0001:b000::2489 202.169.139.51 163.162.170.170


If you are able to get the response from pinging, you know you are connected to 6Bone.


Frequently Asked Questions


This section discusses the FAQs that users and system administrators might have while using 
Novell® IPv6. 


7.1 Novell IPv6-Related FAQs 


+ “Route Addition Failed” on page 47
+ “Unable to Ping” on page 48
+ “Viewing All Addresses” on page 48
+ “Viewing the Destination Cache” on page 48
+ “Configured Addresses Not Visible” on page 48
+ “Support for Per-interface Hop Metrics” on page 48
+ “Record Name Mismatch” on page 48
+ “Unable to Unload IPv6 nlms” on page 49
+ “Pinging a Machine Using its IP4 and IPv6 Addresses” on page 49
+ “Configuring the Global Address” on page 49
+ “Unable to Bind IPv6 with a Driver” on page 49
+ “Pinging by Using a IPv6 Machine” on page 49
+ “Monitoring IPv6 Traffic” on page 49
+ “Enabling Ip6router” on page 49
+ “Unable to Ping6 an IPv6-enabled Machine” on page 49
+ “Unbinding IPv6 From an Interface” on page 50
+ “Disabling the IPv6 Stack” on page 50
+ “Enabling the 6to4 Option” on page 50
+ “Viewing IPv6 Configuration Information” on page 50
+ “Checking Whether IPv6 Is Running” on page 50
+ “Transition Mechanism Support” on page 50
+ “6to4 Relay” on page 51
+ “Time out of Ping6” on page 51
+ “Autoconfiguration by Host” on page 51


Route Addition Failed 


Problem: While adding a route using the server console, I encountered the following 
error message: 


Route Addition Failed 


Action: Check the following: 


+ Check if the source and destination addresses are in IPv6 format. 




+ If the gateway is a link local address, check if the gateway is postfixed
with a % symbol, followed by the interface name.


+ Check if the gateway is reachable or if the routing table has a route to
reach the gateway.


Unable to Ping 
Problem: I could not get any response when I entered ping6 at the server console. 


Action: Check if the end nodes have a route to each other in the routing table. 


Viewing All Addresses 
Problem: How do I see the list of all addresses? 


Action: Enter ip6config at the server console. 


Viewing the Destination Cache 
Problem: How do I see the Destination Cache? 


Action: Enter dc6list at the server console. 


Configured Addresses Not Visible 


Problem: When I enter ip6config at the server console, some of the configured 
addresses are suddenly not visible. 


Possible Cause: The lifetime advertised for the corresponding prefix by the router is very short. 
Action: Do the following: 
1 Enter pf6list at the server console. 
A list of prefixes and their corresponding lifetimes is displayed. 


2 In the rtadvd.cfg file, correct the prefix for the router that is sending out 
the Router Advertisements. 


Support for Per-interface Hop Metrics 
Problem: Does the Novell IPv6 stack support per-interface hop metrics? 


Explanation: The Novell IPv6 stack does not support per-interface hop metrics. 


Record Name Mismatch 
Problem: In the configuration file, I have encountered a record name mismatch. 
Action: Do the following: 
+ Check the interface name in the record. 
+ Enter config at the server console to see the actual interface. 


Action: When you enter [ Interface All ], check whether a space is missing
before the closing bracket.


Unable to Unload IPv6 nlms
Problem: How do I unload IPv6 NLM™ programs? 


Possible Cause: Applications like JSock.nlm, ping6.nlm, and Sktcp6.nlm are still loaded on 
IPv6. 


Action: To unload IPv6 nlm programs, you need to unload the applications first. 


Pinging a Machine Using its IP4 and IPv6 Addresses 


Problem: I am unable to ping a machine using its IPv4 address and ping (IPv4) and then
ping the same machine with its IPv6 address and ping6.


Action: Check the destination address in ping6. 


Configuring the Global Address 


Problem: During IPv6 initialization, it does not configure the global address 
automatically. Do I need to make any modification in the ip6.cfg file? 


Explanation: IPv6 initialization does not configure the global address given in the ip6.cfg
file.


Action: Check the interface name. 


Unable to Bind IPv6 with a Driver 
Problem: I am unable to bind IPv6 with my driver. What is the syntax for binding? 


Action: Enter the following at the server console: 


bind ip6 driver_name addr address len prefix_length





Pinging by Using a IPv6 Machine 
Problem: How do I ping by using an IPv6 machine? 


Action: Enter ping6 at the server console to get help. 


Monitoring IPv6 Traffic 
Problem: Can I see the IPv6 traffic on the wire? 
Action: Enter sniffer at the server console with the Address_type as Hardware and
Protocol as IPv6/IP.


Enabling Ip6router
Problem: How do I enable ip6router? 


Action: In the ip6.cfg file, set the following parameter: 


Router Yes 


Unable to Ping6 an IPv6-enabled Machine 


Problem: I am unable to ping6 to an IPv6-enabled machine even though it is on the same 
physical network. 

Action: Do the following:


+ Check the cable. 


+ Check the destination address. 


Unbinding IPv6 From an Interface 
Problem: How do I unbind IPv6 from an interface? 


Action: Enter the following command at the server console: 


unbind ip6 interface_name/driver_name





Disabling the IPv6 Stack 
Problem: How do I disable the IPv6 stack? 
Action: Unload ipv6.nlm. 


Enabling the 6to4 Option 
Problem: How do I enable the 6to4 option? 


Action: Do the following: 


1 In the sys:\etc\ip6.cfg file, under Interface All, set the following
parameter:


[ Interface All ] 
6to4 Yes 


2 Reinitialize the system. 


Viewing IPv6 Configuration Information 
Problem: Is it possible to view the IPv6 configuration information? 


Action: Enter ip6config at the server console. 





NOTE: Ipconfig does not show the entire IPv6 configuration. 





Checking Whether IPv6 Is Running 


Problem: Can I do a quick check to see if IPv6 is up and running? 


Action: When you enter ip6config at the server console, it should show a loopback
interface.


Action: When you enter ping ::1, you should get a response. 


Transition Mechanism Support 
Problem: What are the transition mechanisms that Novell IPv6 supports? 
Explanation: Novell IPv6 supports the following transition mechanisms:


+ Dual stack
+ Configured tunneling
+ Automatic tunneling
+ 6to4


6to4 Relay 
Problem: Is 6to4 relay supported? 


Explanation: The Novell IPv6 stack supports 6to4 route configuration. It also supports 6to4 
in the relay configuration if the required routes are manually set in the 6to4 
relay router. 


Time out of Ping6 


Problem: While pinging (ping6) between two machines, communication stops between 
the two. 


Action: Check the reachable time advertised by the rtadvd.cfg file. 


Autoconfiguration by Host 
Problem: The router advertisements are sent but the host is not doing autoconfiguration. 


Action: Check the following: 


+ Autoconfiguration flag in the ip6.cfg file. 
+ M/O flag in the rtadvd.cfg file. 

Documentation Updates


+ Section A.1, “November 9, 2009”
+ Section A.2, “December 2008”
+ Section A.3, “October 2008”
+ Section A.4, “March 20, 2008”
+ Section A.5, “April 28, 2008”


A.1 November 9, 2009 


This guide has been modified for publication on the NetWare 6.5 SP8 Documentation Web site. 


A.2 December 2008 


+ Updated front file with date. 


A.3 October 2008 


+ Front file updated with dates.


A.4 March 20, 2008 


+ Updated the cross-reference for Novell® NetWare® IPv6 Administration Guide for OES.
+ Updated the preface with a section for Audience. 

+ Updated the guide with common edits and structure. 

+ Updated the book to the December 11, 2007 template. 


A.5 April 28, 2008 


+ Updated the book to April 24, 2008 template. 